Anti-Virus Companies: Tenacious Spammers
Wed Jan 28 04:46:28 EST 2004
Brian Martin [jericho@attrition.org]
No one can argue that the spam problem is getting better. Despite advances in
anti-spam technology and legislation against spam, unwanted junk mail is flowing
into our inboxes at an increased rate. Stock tips, enhancement drugs, Nigerian
scams, DVD copy software and hundreds of other products or services get shoved
in our face.
For roughly three years, the Internet has seen worms that spread via e-mail,
often taking addresses out of the infected machine's web cache, user address book
or other sources. Some of these worms will also forge/spoof the "From:" line so
the mail appears to be from someone else, in an attempt to make the mail more
'trusted'. To be clear, here is a sample timeline of how these work:
1. EvilGuy01 writes and releases a new worm.
2. Fred is a moron and clicks on an attachment from a stranger, infecting his
   machine.
3. The worm mails a copy of itself to everyone in Fred's address book.
4. The mail sent out spoofs the headers, so it may be "From: George" or
   "From: Sally".
5. Tom gets a copy of the mail "From: Sally" and clicks on the attachment,
   infecting himself.
6. Tom sends mail to Sally complaining about her evil shenanigans.
7. Sally replies to Tom with "d00d WTF?! lol" since she never sent the mail.
The concept is very simple, and extremely effective. Anti-Virus companies are
well aware of this trait present in many "mm" (Mass Mailing) worms. Reading
through their descriptions, they document each worm that spreads itself in this
fashion. Looking at one example on the McAfee site:
W32/Mydoom@MM generates emails with a spoofed From: field, so incoming
messages may appear to be from people you know. Furthermore, the subject line
and message body are both randomly generated by the worm.
Each of these Anti-Virus or mail gateway companies tends to configure their
products to do the same thing. If a piece of mail comes in with a known virus,
trojan, worm or taboo attachment, it will stop the mail from reaching the
intended recipient, notify the administrator, and either quarantine or delete
the hostile content. Simple and effective. However, each of these companies also
has their product mail the person who sent in the hostile content saying "You
are infected" in so many words. While such intentions are noble, think about the
reality of what is happening. For over three years, these worms that forge the
"From:" address have been sending out millions of mails attempting to propagate
themselves. Each of these mails that reaches an Anti-Virus product or gateway
gets blocked and replied to, based on that forged "From:" line. Result?
Millions more e-mails are sent out to innocent people who never sent the mail
in the first place.
Spam
Spam is basically defined as "unsolicited junk e-mail". Unsolicited, as in you
did not request the person/company to send you mail. Junk, as in it contains no
valuable content or information. When an anti-virus program from a remote system
mails you out of the blue, tells you that it blocked a virus YOU sent, tells you
that you are likely infected with a virus and advertises itself, the remote site
is sending you spam. In the case of the latest worm, I and others have received
more spam from Anti-Virus products than the worm itself! As you read this,
Anti-Virus companies are responsible for products that are sending out more
unwanted mail than the worm itself. The most damning mail from these products
not only purports to "warn you of infection", but goes so far as to advertise
the product to you. This is unsolicited commercial e-mail (UCE, aka "spam") in
its purest form.
Justification
Spammers often try to justify their actions and excuse their unsolicited e-mail.
Some will say "you can just delete it", or "some of the people we mail may want
to read it". Many will go so far as to say you mailed them or you "opted in" to
their e-mail lists. I'm sure that if you ask the Anti-Virus companies why their
products send this unsolicited mail, you will get this type of answer or
something equally asinine. With these worms sending out millions of spoofed
mails, the anti-virus products are also sending out millions of mails, most of
them to people who never mailed in the first place.
Intent
Some may argue that the Anti-Virus companies don't intend to spam innocent
users, but this argument is completely without merit. It's a fact that they know
which worms propagate by spoofing mail. It's a fact that when their customers
download updates they include an ID or name so the product can identify the
incoming hostile code. Add these two facts together and you get Anti-Virus
products that intentionally and knowingly respond to mail addresses they know
are forged, that didn't really send the infected message, and that have not
asked to be mailed. The bottom line: Anti-Virus companies sell products that are
designed to spam innocent users, to the tune of millions of mails a year.
Solution
The solution is simple: when infected mail comes into a network, the message
should be quarantined, the administrator notified, and nothing else. No mail
should be sent back to the spoofed "From:" address. If Anti-Virus companies
think this is a bad choice, at the very least they could configure the products
not to mail back on worms that they know to spoof headers during propagation.
Any of the "@MM" named worms should be responded to differently.
This ends the nice section.
It isn't enough that these products send out millions of spam a year. Anti-Virus
programs are guilty of several other crimes against the Internet and they need
to be stopped. The following section will look at some of these products, their
spam and observations about their behavior.
The Name Game
What virus did I supposedly send to Joe User on your network? In the wake of the
latest worm outbreak (aka W32.Novarg.A@mm), many people were reminded of the
horrid state of the Anti-Virus industry when it comes to naming worms and
viruses. Based on the spam I received from these companies, we have at least
eight different names for the same worm, probably a lot more.
Norton AntiVirus - W32.Novarg.A@mm
RAV AntiVirus - Win32/Mydoom.A@mm
GroupShield for Exchange - W32/Mydoom@MM
BorderWare MXtreme Mail Firewall - I-Worm.Novarg
InterScan - WORM_MIMAIL.R
Antigen - MyDoom.A@m (Norman) worm
McAfee - W32/Mydoom@MM
Novarg? MyDoom? Worm Mimail? Worm SCO? Which is it? If the Anti-Virus industry
truly had the Internet's interest in mind, they would designate a board to apply
a standard name to all viruses. Failing this, by maintaining some channel of
communication during the initial discovery phase they could at least agree on a
common overall name (Novarg vs MyDoom) before applying their own designations
(A@m, @MM, .A, etc). While some people argue that giving worms media attention
only encourages such behavior, there is a positive side. The worms that garnered
a high amount of media attention received a very standard name since each
Anti-Virus company wanted to be able to say they too scanned for it.
I am grounded in reality though, and I understand this can't happen for every
worm or virus lest they sacrifice a little bit and lose their "edge" in the
business. Their notions of customer interest are second to their bottom line and
perceived dominance of the industry.
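As an added example, not code from the article or from any of the products named in it, the following Python sketches the handling the Solution section asks for, driven by the vendor labels listed above: the message is quarantined and the administrator told, but the notice to the "From:" address is suppressed whenever the scanner's own name marks the detection as a mass mailer. The marker patterns, the policy function and the event list are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Mass-mailer markers as they appear in the vendor names quoted in the article
# ("@mm"/"@MM"/"@m" suffixes, "I-Worm." and "WORM_"/"Worm." prefixes). These
# patterns are this example's assumption about vendor naming, not a standard.
MASS_MAILER_MARKERS = [
    re.compile(r"@mm?\b", re.IGNORECASE),     # Norton, RAV, McAfee, Antigen/Norman
    re.compile(r"^I-Worm\.", re.IGNORECASE),  # BorderWare (Kaspersky-style)
    re.compile(r"^WORM[_.]", re.IGNORECASE),  # InterScan "WORM_", MailScanner "Worm."
]


def is_mass_mailer(virus_name: str) -> bool:
    """True when the scanner's own label says the detection spreads by mass mailing."""
    return any(p.search(virus_name.strip()) for p in MASS_MAILER_MARKERS)


@dataclass
class Verdict:
    quarantine: bool
    notify_admin: bool
    notify_sender: bool
    reason: str


def gateway_policy(virus_name: str, from_addr: str, legacy_sender_notice: bool = False) -> Verdict:
    """Quarantine, tell the admin, and never bounce a notice to a From: address
    that a mass-mailing worm has almost certainly forged. With the default of
    False for legacy_sender_notice nothing is ever mailed back; True gives the
    article's "at the very least" variant, which only exempts @MM-style worms."""
    if is_mass_mailer(virus_name):
        return Verdict(True, True, False,
                       f"{virus_name}: From: <{from_addr}> presumed forged, sender notice suppressed")
    return Verdict(True, True, legacy_sender_notice, f"{virus_name}: sender notice per site default")


# Constructed scan events (the sender addresses are placeholders, not real data).
EVENTS = [
    ("W32.Novarg.A@mm", "alice@example.org"),
    ("Win32/Mydoom.A@mm", "bob@example.org"),
    ("I-Worm.Novarg", "carol@example.org"),
    ("WORM_MIMAIL.R", "dave@example.org"),
    ("MyDoom.A@m (Norman) worm", "erin@example.org"),
    ("EICAR-Test-File", "frank@example.org"),
]


def count_sender_notices(events, legacy_sender_notice=True):
    """Sender notices sent under bounce-everything behaviour vs. under the policy."""
    legacy = len(events) if legacy_sender_notice else 0
    policy = sum(1 for n, a in events if gateway_policy(n, a, legacy_sender_notice).notify_sender)
    return legacy, policy
```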
Technical Wonders
Some of the mail these products send out is nothing short of pathetic. In some
cases, the remote site doesn't include any details about the original mail: who
supposedly sent it, who the intended recipient was, or the headers that would
give you an idea where it was really sent from.
Other warnings tell you that your machine is infected, suggest you scan for
viruses and contact your administrator. If hundreds of employees in a company
receive these, they may be diligent and report the mail to their administrator.
This will cause an increased work load on your IT staff, all over events that
never occurred.
Examples and Offenders
In case you have disabled e-mail or deleted your entire inbox before viewing the
contents, here are some examples of the offending spam being sent out by
Anti-Virus companies.
AMaViS (http://amavis.org/) sends a very dramatic "V I R U S A L E R T" warning
that they found a VIRUS and stopped delivery of your email! THANKS GUYS, YOU ARE
SAVING THE INTERNET ONE COMPUTER AT A TIME.
V I R U S A L E R T
Our viruschecker found a VIRUS in your email to "pingcat01@yahoo.com".
We stopped delivery of this email!
Please check your system for viruses. For more details contact
your local System Administrator or MIS staff.
While I am contacting my MIS staff (oh wait..), Norton words their mail so
definitively. Norton is sure that I sent the mail to poor Tony. If we assume the
administrator of the remote system received a copy of this, as well as Tony and
myself, at what point does this cross into the bounds of libel? Norton is
accusing me of a crime that I did not commit. Thanks guys.
Norton AntiVirus found a virus in an attachment you
(jericho@attrition.org) sent to Tony LaScola.
To ensure the recipient(s) are able to use the files you
sent, perform a virus scan on your computer, clean any
infected files, then resend this attachment.
Attachment: readme.pif
Virus name: W32.Novarg.A@mm
Action taken: Clean failed : Quarantine succeeded :
File status: Infected
RAV AntiVirus (http://www.ravantivirus.com) is nice enough to tell me details of
the remote system that are often classified as an "information disclosure"
vulnerability. Not only do I learn the remote system's architecture, they
blatantly advertise their product to me. This is pure commercial spam.
RAV AntiVirus for Linux i686 version: 8.3.1 (snapshot-20011106)
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
12 more days to evaluate.
Running on host: RMnet.it
The file (part0002:body.zip)->body.scr attached to mail (with subject:
Server Report) sent by jericho@attrition.org to tna@rmnet.it,
is infected with virus: Win32/Mydoom.A@mm.
Cannot clean this file.
Cannot delete this file (most probably it's in an archive).
The mail was not delivered because it contained dangerous code.
Scan engine 8.11 for i386.
Last update: Tue Jan 27 04:03:51 2004
Scanning for 89279 malwares (viruses, trojans and worms).
To get a free 60-days evaluation version of RAV AntiVirus v8
(yet fully functional) please visit:
http://www.ravantivirus.com
MailScanner (http://www.mailscanner.info) warns me that I sent Sandra a virus!
Oh gnoez! After blatantly advertising their product to me, the real ignorance
comes in the subsequent mail.
Our virus detector has just been triggered by a message you sent:-
To: sandra@redoakdesigns.com
Subject: TEST
Date: Tue Jan 27 10:45:38 2004
Any infected parts of the message (message.pif)
have not been delivered.
This message is simply to warn you that your computer system may have a
virus present and should be checked.
The virus detector said this about the message:
Report: message.pif contains Worm.SCO.A
Shortcuts to MS-Dos programs are very dangerous in email (message.pif)
No programs allowed (message.pif)
--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support
This is where I learn that I mailed a user that doesn't exist on the remote
system. They are also kind enough to actually attach a copy of the virus to this
mail. If an average user received this and was curious what was supposedly sent
in their name, they might open it and infect themselves. Good going MailScanner,
you block the mail from reaching the person (that doesn't exist), but you don't
delete or quarantine the harmful content. Stellar.
From: Mail Delivery Subsystem (MAILER-DAEMON@host.countystart.org)
To: jericho@attrition.org
Date: Tue, 27 Jan 2004 10:45:44 -0500
Subject: Returned mail: see transcript for details
Parts/Attachments:
1 Shown 12 lines Text
2 Shown 302 bytes Message, "Delivery Status"
3 Shown 2.3 KB Message, "{Virus?} TEST"
3.1 Shown 6 lines Text (charset: Windows-1252)
3.2 Shown ~21 lines Text
----------------------------------------
The original message was received at Tue, 27 Jan 2004 10:12:30 -0500
from ool-43533db7.dyn.optonline.net [67.83.61.183]
----- The following addresses had permanent fatal errors -----